EK381 33951 OUS
CLAIMS 

What is claimed is: 
1. A method for sending a data packet from a first member of a virtual private network to a second member of said virtual private network comprising the steps of:
receiving said data packet en route to said second member;
determining that said data packet is being sent between members of said virtual private network;
determining the packet manipulation rules for packets sent between members of said virtual private network;
forming a secure data packet by executing said packet manipulation rules on said data packet; and
forwarding said secure data packet to said second member of said virtual private network,
wherein said data packet contains information of a source address and a destination address of said data packet.

2. The method according to claim 1 wherein said step of determining that said data packet is being sent between members of said virtual private network comprises the step of comparing the source and destination addresses of the data packet to addresses stored in a virtual private network address table.
3. The method according to claim 1 wherein said step of determining the packet manipulation rules comprises the step of accessing a lookup table that maintains information identifying compression, encryption and authentication algorithms to be utilized for data packets sent between members of the virtual private network.



4. The method according to claim 3 wherein said step of forming a secure data packet comprises the steps of:
encrypting at least a payload portion of the data packet according to the identified encryption algorithm; and
providing authentication information for the data packet according to the identified authentication algorithm.

5. The method according to claim 3 wherein said forming a secure data packet includes the step of concealing the source and destination addresses of the data packet according to the identified packet manipulation rules.



6. A method for recovering an original data packet from a secure data packet sent between members of a virtual private network comprising the steps of:
receiving said secure data packet;
determining the packet manipulation rules for packets sent between members of said virtual private network;
recovering the original data packet by manipulating the secure data packet by reversing the identified packet manipulation rules; and
forwarding the recovered data packet to its destination,
wherein said source data packet contains information of a source address and a destination address of said secure data packet.

7. The method according to claim 6 wherein said step of determining the packet manipulation rules comprises the step of accessing a lookup table that maintains information identifying compression, encryption and authentication algorithms to be utilized for data packets sent between members of the virtual private network.

8. The method according to claim 7 wherein said recovering step includes the step of recovering the source and destination addresses of the original data packet when they have been concealed.

9. A system for securely exchanging data packets between members of a virtual private network group comprising:
a first computer at a first site, said first computer having a first network address;
a first router associated with said first site for routing data packets originating from said first computer over a public network;
a first virtual private network unit disposed between said first router and said public network, said first virtual private network unit for identifying virtual private network group data traffic and for securing said data traffic by manipulating said data traffic according to packet manipulation rules maintained by said first virtual private network unit;
a second router associated with a second site for coupling said second site to the public network;
a second virtual private network unit disposed between said second router and the public network for intercepting network traffic destined for said second site, said second virtual private network unit for detecting virtual private network group traffic and for recovering original packet data; and
a second computer at said second site, said second computer having a second network address for receiving said packet data,
wherein said data packet contains information of a source address and a destination address of said data packet.

10. The system of claim 9 wherein said first and second virtual private network units include means for verifying that said first and second network addresses are both members of said virtual private network group.

11. The system of claim 10 wherein said first and second virtual private network units each have an associated network address, said network traffic utilizing the virtual private network addresses to conceal the identity of the first and second network addresses.
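The claims above describe a pair of VPN units that consult an address table (claims 2 and 10), look up per-group manipulation rules (claims 3 and 7), compress, encrypt and authenticate the packet (claim 4), conceal the member addresses behind the units' own addresses (claims 5 and 11), and reverse the whole process at the far end (claims 6 and 8). The Python model below is an added example, not part of the patent and not the applicant's implementation; it shows that flow end to end. The member and unit addresses, the shared group key, the rules table and the HMAC-SHA256 counter-mode toy cipher are all constructed assumptions; a deployment would use a standard authenticated cipher and a real key-management scheme.

```python
import hashlib
import hmac
import os
import zlib
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

NONCE_LEN = 12
TAG_LEN = 32


@dataclass(frozen=True)
class Packet:
    src: str       # dotted-quad IPv4 source address
    dst: str       # dotted-quad IPv4 destination address
    payload: bytes


@dataclass(frozen=True)
class Rules:
    compress: bool           # zlib before encryption
    conceal_addresses: bool  # claim 5: hide member addresses behind the VPN units


# Claim 2: VPN address table, member address -> its VPN unit (constructed sample addresses).
VPN_ADDRESS_TABLE = {
    "10.1.0.5": "203.0.113.1",
    "10.2.0.7": "198.51.100.1",
}

# Claims 3 and 7: manipulation rules keyed by the unordered pair of VPN units.
RULES_TABLE = {
    frozenset({"203.0.113.1", "198.51.100.1"}): Rules(compress=True, conceal_addresses=True),
}

# Constructed shared group secret (assumption: provisioned out of band to both units).
GROUP_KEY = hashlib.sha256(b"constructed demo group key, not a real secret").digest()
ENC_KEY = hmac.new(GROUP_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(GROUP_KEY, b"mac", hashlib.sha256).digest()


def unit_of(addr: str) -> Optional[str]:
    """Map a member address to its VPN unit; a unit address maps to itself."""
    if addr in VPN_ADDRESS_TABLE:
        return VPN_ADDRESS_TABLE[addr]
    return addr if addr in VPN_ADDRESS_TABLE.values() else None


def is_vpn_traffic(pkt: Packet) -> bool:
    """Claim 2: both endpoints must appear in the VPN address table."""
    return pkt.src in VPN_ADDRESS_TABLE and pkt.dst in VPN_ADDRESS_TABLE


def lookup_rules(a: str, b: str) -> Optional[Rules]:
    """Claims 3 and 7: rules for traffic between the units serving addresses a and b."""
    ua, ub = unit_of(a), unit_of(b)
    if ua is None or ub is None:
        return None
    return RULES_TABLE.get(frozenset({ua, ub}))


def _keystream(nonce: bytes, length: int) -> bytes:
    # Toy counter-mode PRF stream built from HMAC-SHA256; illustrative only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(outer_src: str, outer_dst: str, nonce: bytes, ct: bytes) -> bytes:
    # Claim 4: encrypt-then-MAC; the tag also binds the outer addresses.
    aad = IPv4Address(outer_src).packed + IPv4Address(outer_dst).packed
    return hmac.new(MAC_KEY, aad + nonce + ct, hashlib.sha256).digest()


def form_secure_packet(pkt: Packet) -> Optional[Packet]:
    """Claims 1, 4, 5: secure a packet in transit; None means pass through untouched."""
    if not is_vpn_traffic(pkt):
        return None
    rules = lookup_rules(pkt.src, pkt.dst)
    if rules is None:
        return None
    body = zlib.compress(pkt.payload) if rules.compress else pkt.payload
    if rules.conceal_addresses:
        # Member addresses travel inside the encrypted body; the outer header
        # shows only the two VPN units (claim 11).
        plaintext = IPv4Address(pkt.src).packed + IPv4Address(pkt.dst).packed + body
        outer_src, outer_dst = VPN_ADDRESS_TABLE[pkt.src], VPN_ADDRESS_TABLE[pkt.dst]
    else:
        plaintext = body
        outer_src, outer_dst = pkt.src, pkt.dst
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(nonce, len(plaintext)))
    return Packet(outer_src, outer_dst, nonce + ct + _tag(outer_src, outer_dst, nonce, ct))


def recover_packet(secure: Packet) -> Packet:
    """Claims 6, 7, 8: verify, decrypt, decompress and restore the original packet."""
    rules = lookup_rules(secure.src, secure.dst)
    if rules is None:
        raise ValueError("no packet manipulation rules for this traffic")
    if len(secure.payload) < NONCE_LEN + TAG_LEN:
        raise ValueError("secure packet too short")
    nonce = secure.payload[:NONCE_LEN]
    ct = secure.payload[NONCE_LEN:-TAG_LEN]
    tag = secure.payload[-TAG_LEN:]
    # Authenticate before touching the ciphertext; reject on any mismatch.
    if not hmac.compare_digest(tag, _tag(secure.src, secure.dst, nonce, ct)):
        raise ValueError("authentication failed")
    plaintext = _xor(ct, _keystream(nonce, len(ct)))
    if rules.conceal_addresses:
        src, dst, body = str(IPv4Address(plaintext[:4])), str(IPv4Address(plaintext[4:8])), plaintext[8:]
    else:
        src, dst, body = secure.src, secure.dst, plaintext
    return Packet(src, dst, zlib.decompress(body) if rules.compress else body)
```

Two points worth noting for a defender reading the claims: the receiving unit authenticates the secure packet before decrypting or decompressing anything, so a forged or tampered packet is dropped without reaching the decompressor; and the tag covers the outer unit addresses, so swapping or spoofing the outer header is detected even though those addresses are sent in the clear.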